Add more sigv4/s3e cleanup

Author: mtdowling

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/CreateSessionCallback.java

@@ -16,7 +16,7 @@
  * <pre>{@code
  * (bucket, baseCreds) -> {
  *     var resp = s3Client.createSession(CreateSessionInput.builder().bucket(bucket).build());
- *     return S3ExpressIdentity.create(
+ *     return AwsCredentialsIdentity.create(
  *         resp.credentials().accessKeyId(),
  *         resp.credentials().secretAccessKey(),
  *         resp.credentials().sessionToken(),
@@ -29,5 +29,5 @@
  */
 @FunctionalInterface
 public interface CreateSessionCallback {
-    S3ExpressIdentity createSession(String bucket, AwsCredentialsIdentity baseCredentials);
+    AwsCredentialsIdentity createSession(String bucket, AwsCredentialsIdentity baseCredentials);
 }

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3DisableExpressSessionAuthResolver.java

@@ -9,7 +9,6 @@
 import software.amazon.smithy.java.aws.config.AwsProfileFile;
 import software.amazon.smithy.java.client.core.ClientConfig;
 import software.amazon.smithy.java.client.core.ClientPlugin;
-import software.amazon.smithy.utils.SmithyUnstableApi;
 
 /**
  * Plugin that resolves the {@code DisableS3ExpressSessionAuth} setting from environment and
@@ -29,13 +28,12 @@
  *
  * <p>Only {@code true} or {@code false} are accepted; anything else throws.
  */
-@SmithyUnstableApi
-public final class S3DisableExpressSessionAuthResolver implements ClientPlugin {
+final class S3DisableExpressSessionAuthResolver implements ClientPlugin {
 
     private static final String ENV_VAR = "AWS_S3_DISABLE_EXPRESS_SESSION_AUTH";
     private static final String PROFILE_PROPERTY = "s3_disable_express_session_auth";
 
-    public static final S3DisableExpressSessionAuthResolver INSTANCE = new S3DisableExpressSessionAuthResolver();
+    static final S3DisableExpressSessionAuthResolver INSTANCE = new S3DisableExpressSessionAuthResolver();
 
     private S3DisableExpressSessionAuthResolver() {}
 
@@ -90,8 +88,7 @@ private static String profileName() {
     private static boolean parseBoolean(String value, String source) {
         if ("true".equalsIgnoreCase(value)) {
             return true;
-        }
-        if ("false".equalsIgnoreCase(value)) {
+        } else if ("false".equalsIgnoreCase(value)) {
             return false;
         }
         throw new IllegalArgumentException(

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressAuthScheme.java

@@ -9,6 +9,7 @@
 import software.amazon.smithy.java.auth.api.identity.IdentityResolver;
 import software.amazon.smithy.java.auth.api.identity.IdentityResolvers;
 import software.amazon.smithy.java.aws.auth.api.identity.AwsCredentialsIdentity;
+import software.amazon.smithy.java.aws.client.auth.scheme.sigv4.SigV4Settings;
 import software.amazon.smithy.java.aws.client.core.settings.RegionSetting;
 import software.amazon.smithy.java.client.core.auth.scheme.AuthScheme;
 import software.amazon.smithy.java.context.Context;
@@ -18,19 +19,13 @@
 /**
  * Auth scheme for S3 Express directory-bucket data-plane requests.
  *
- * <p>The endpoint rules emit this auth scheme with the wire name {@code sigv4-s3express}, but
- * we expose it through smithy-java as {@code aws.auth#sigv4S3express} because Smithy ShapeIds
- * cannot contain hyphens. {@link
- * software.amazon.smithy.java.aws.client.rulesengine.AwsRulesExtension} translates the wire name
- * to this id when reading endpoint properties.
- *
  * <p>The identity is bucket-scoped session credentials returned by S3's {@code CreateSession}
  * API; the signer uses regular SigV4 with the session token sent as
  * {@code x-amz-s3session-token} (instead of {@code x-amz-security-token}).
  */
-public final class S3ExpressAuthScheme implements AuthScheme<HttpRequest, S3ExpressIdentity> {
+final class S3ExpressAuthScheme implements AuthScheme<HttpRequest, AwsCredentialsIdentity> {
 
-    public static final ShapeId SCHEME_ID = ShapeId.from("aws.auth#sigv4S3express");
+    static final ShapeId SCHEME_ID = ShapeId.from("aws.auth#sigv4S3express");
 
     private static final String DEFAULT_SIGNING_NAME = "s3express";
 
@@ -45,11 +40,11 @@ public final class S3ExpressAuthScheme implements AuthScheme<HttpRequest, S3Expr
     /**
      * @param createSession bridge to the user's S3 client's CreateSession operation.
      */
-    public S3ExpressAuthScheme(CreateSessionCallback createSession) {
+    S3ExpressAuthScheme(CreateSessionCallback createSession) {
         this(DEFAULT_SIGNING_NAME, createSession);
     }
 
-    public S3ExpressAuthScheme(String signingName, CreateSessionCallback createSession) {
+    S3ExpressAuthScheme(String signingName, CreateSessionCallback createSession) {
         this.signingName = signingName;
         this.createSession = createSession;
     }
@@ -65,8 +60,8 @@ public Class<HttpRequest> requestClass() {
     }
 
     @Override
-    public Class<S3ExpressIdentity> identityClass() {
-        return S3ExpressIdentity.class;
+    public Class<AwsCredentialsIdentity> identityClass() {
+        return AwsCredentialsIdentity.class;
     }
 
     @Override
@@ -75,11 +70,12 @@ public Context getSignerProperties(Context context) {
         // overrides from the resolved endpoint on top of these. The values stamped here are the
         // defaults the signer falls back to when the endpoint didn't override.
         var ctx = Context.create();
-        ctx.put(software.amazon.smithy.java.aws.client.auth.scheme.sigv4.SigV4Settings.SIGNING_NAME, signingName);
+        ctx.put(SigV4Settings.SIGNING_NAME, signingName);
+        ctx.put(SigV4Settings.OMIT_SECURITY_TOKEN, true);
         ctx.put(RegionSetting.REGION, context.expect(RegionSetting.REGION));
-        var clock = context.get(software.amazon.smithy.java.aws.client.auth.scheme.sigv4.SigV4Settings.CLOCK);
+        var clock = context.get(SigV4Settings.CLOCK);
         if (clock != null) {
-            ctx.put(software.amazon.smithy.java.aws.client.auth.scheme.sigv4.SigV4Settings.CLOCK, clock);
+            ctx.put(SigV4Settings.CLOCK, clock);
         }
         return Context.unmodifiableView(ctx);
     }
@@ -107,32 +103,25 @@ public Context getIdentityProperties(Context context) {
     }
 
     @Override
-    public Signer<HttpRequest, S3ExpressIdentity> signer() {
+    public Signer<HttpRequest, AwsCredentialsIdentity> signer() {
         return S3ExpressSigner.create(signingName);
     }
 
     @Override
-    public IdentityResolver<S3ExpressIdentity> identityResolver(IdentityResolvers resolvers) {
-        // If the user registered their own S3ExpressIdentity resolver (e.g. via
-        // ClientConfig.Builder#addIdentityResolver), prefer it. This is the override hook the
-        // SEP recommends: customers can supply a custom CreateSession-compatible provider for
-        // alternate caching, observability, or sourcing strategies.
-        IdentityResolver<S3ExpressIdentity> override = resolvers.identityResolver(S3ExpressIdentity.class);
-        if (override != null) {
-            return override;
-        }
-
+    public IdentityResolver<AwsCredentialsIdentity> identityResolver(IdentityResolvers resolvers) {
         IdentityResolver<AwsCredentialsIdentity> base = resolvers.identityResolver(AwsCredentialsIdentity.class);
         if (base == null) {
             return null;
         }
+
         // Lock-free fast path for the common case where the same IdentityResolvers is passed
         // every call. If the base resolver instance changes (rare; it's a property of the
         // client's IdentityResolvers registry which doesn't change after build), rebuild.
         S3ExpressIdentityProvider local = provider;
         if (local != null && providerBase == base) {
             return local;
         }
+
         synchronized (this) {
             if (provider == null || providerBase != base) {
                 providerBase = base;

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressBucketInterceptor.java

@@ -20,23 +20,21 @@
  *
  * <p>Runs in {@code readBeforeExecution}, before any auth-resolution stage.
  */
-public final class S3ExpressBucketInterceptor implements ClientInterceptor {
+final class S3ExpressBucketInterceptor implements ClientInterceptor {
 
-    /** Singleton; the interceptor holds no state. */
-    public static final S3ExpressBucketInterceptor INSTANCE = new S3ExpressBucketInterceptor();
+    static final S3ExpressBucketInterceptor INSTANCE = new S3ExpressBucketInterceptor();
 
     private S3ExpressBucketInterceptor() {}
 
     @Override
     public void readBeforeExecution(InputHook<?, ?> hook) {
         var inputSchema = hook.operation().inputSchema();
         var bucketMember = inputSchema.member("Bucket");
-        if (bucketMember == null) {
-            return;
-        }
-        Object bucket = hook.input().getMemberValue(bucketMember);
-        if (bucket instanceof String s && !s.isEmpty()) {
-            hook.context().put(S3ExpressContext.BUCKET, s);
+        if (bucketMember != null) {
+            Object bucket = hook.input().getMemberValue(bucketMember);
+            if (bucket instanceof String s && !s.isEmpty()) {
+                hook.context().put(S3ExpressContext.BUCKET, s);
+            }
         }
     }
 }

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressChecksumInterceptor.java

@@ -61,6 +61,7 @@ public <RequestT> RequestT modifyBeforeSigning(RequestHook<?, ?, RequestT> hook)
         if (hook.context().get(S3ExpressContext.BUCKET) == null) {
             return hook.request();
         }
+
         if (!(hook.request() instanceof HttpRequest req)) {
             return hook.request();
         }
@@ -78,6 +79,7 @@ public <RequestT> RequestT modifyBeforeSigning(RequestHook<?, ?, RequestT> hook)
         if (body == null || body.contentLength() == 0) {
             return hook.request();
         }
+
         if (!body.isReplayable() || !body.hasByteBuffer()) {
             // Streaming or non-replayable body — supporting it requires multi-chunk framing,
             // which AwsChunkedDataStream doesn't do yet. Skip the wrapping; SigV4 will fall
@@ -106,12 +108,14 @@ private static boolean alreadyHasChecksum(HttpRequest req) {
         if (req.headers().hasHeader(TRAILER_HEADER)) {
             return true;
         }
+
         var present = new boolean[1];
         req.headers().forEachEntry(present, (state, name, value) -> {
             if (name.startsWith(CHECKSUM_HEADER_PREFIX)) {
                 state[0] = true;
             }
         });
+
         return present[0];
     }
 }

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressContext.java

@@ -11,7 +11,6 @@
  * Context keys used by the S3 Express auth scheme to communicate per-call data.
  */
 public final class S3ExpressContext {
-
     /**
      * Bucket name on the in-flight request. Must be set by an interceptor that pulls the value
      * from the input shape before the auth pipeline asks for an identity. The

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressFeatureId.java

@@ -10,8 +10,7 @@
 /**
  * Business-metric IDs published when this module's auth scheme runs successfully.
  */
-public enum S3ExpressFeatureId implements FeatureId {
-
+enum S3ExpressFeatureId implements FeatureId {
     /**
      * Emitted on every operation call that resolves a bucket-scoped S3 Express identity.
      */

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentity.java

@@ -10,6 +10,7 @@
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Function;
 import software.amazon.smithy.java.auth.api.identity.CachingIdentityResolver;
+import software.amazon.smithy.java.aws.auth.api.identity.AwsCredentialsIdentity;
 
 /**
  * Bucket-keyed cache of S3 Express identity resolvers.
@@ -44,13 +45,13 @@ final class S3ExpressIdentityCache implements AutoCloseable {
     private final ConcurrentHashMap<S3ExpressIdentityKey, Entry> entries = new ConcurrentHashMap<>();
     private final ReentrantLock writeLock = new ReentrantLock();
     private final AtomicLong tick = new AtomicLong();
-    private final Function<S3ExpressIdentityKey, CachingIdentityResolver<S3ExpressIdentity>> factory;
+    private final Function<S3ExpressIdentityKey, CachingIdentityResolver<AwsCredentialsIdentity>> factory;
 
-    S3ExpressIdentityCache(Function<S3ExpressIdentityKey, CachingIdentityResolver<S3ExpressIdentity>> factory) {
+    S3ExpressIdentityCache(Function<S3ExpressIdentityKey, CachingIdentityResolver<AwsCredentialsIdentity>> factory) {
         this.factory = factory;
     }
 
-    CachingIdentityResolver<S3ExpressIdentity> get(S3ExpressIdentityKey key) {
+    CachingIdentityResolver<AwsCredentialsIdentity> get(S3ExpressIdentityKey key) {
         Entry e = entries.get(key);
         if (e != null) {
             e.lastAccess = tick.incrementAndGet();
@@ -59,7 +60,7 @@ CachingIdentityResolver<S3ExpressIdentity> get(S3ExpressIdentityKey key) {
         return getOrCreate(key);
     }
 
-    private CachingIdentityResolver<S3ExpressIdentity> getOrCreate(S3ExpressIdentityKey key) {
+    private CachingIdentityResolver<AwsCredentialsIdentity> getOrCreate(S3ExpressIdentityKey key) {
         writeLock.lock();
         try {
             Entry e = entries.get(key);
@@ -129,13 +130,13 @@ private static void closeQuietly(AutoCloseable c) {
     }
 
     private static final class Entry {
-        final CachingIdentityResolver<S3ExpressIdentity> resolver;
+        final CachingIdentityResolver<AwsCredentialsIdentity> resolver;
 
         // Volatile so concurrent readers see updated values; races on simultaneous writes are
         // benign (we only use this for approximate ordering of eviction).
         volatile long lastAccess;
 
-        Entry(CachingIdentityResolver<S3ExpressIdentity> resolver, long lastAccess) {
+        Entry(CachingIdentityResolver<AwsCredentialsIdentity> resolver, long lastAccess) {
             this.resolver = resolver;
             this.lastAccess = lastAccess;
         }

aws/aws-sigv4-s3express/src/main/java/software/amazon/smithy/java/aws/client/auth/scheme/s3express/S3ExpressIdentityCache.java

@@ -30,11 +30,11 @@ final class S3ExpressIdentityKey {
     S3ExpressIdentityKey(String bucket, AwsCredentialsIdentity identity) {
         this.bucket = Objects.requireNonNull(bucket, "bucket");
         this.identity = Objects.requireNonNull(identity, "identity");
-        this.hash = Objects.hash(
-                bucket,
-                identity.accessKeyId(),
-                identity.secretAccessKey(),
-                identity.sessionToken());
+        int h = bucket.hashCode();
+        h = 31 * h + identity.accessKeyId().hashCode();
+        h = 31 * h + identity.secretAccessKey().hashCode();
+        h = 31 * h + Objects.hashCode(identity.sessionToken());
+        this.hash = h;
     }
 
     String bucket() {